ISC Open Source Projects / BIND / Issues / #3216 (Closed)
Issue created Mar 17, 2022 by Ondřej Surý (@ondrej, Owner)

[CVE-2022-1183] Destroying TLS stream too early triggers assertion failure

CVE-specific actions

  • Assign a CVE identifier

  • Determine CVSS score

  • Determine the range of BIND versions affected (including the Subscription Edition)

  • Determine whether workarounds for the problem exist

  • Create a draft of the security advisory and put the information above in there

  • Prepare a detailed description of the problem which should include the following by default:

    • instructions for reproducing the problem (a system test is good enough)
    • explanation of code flow which triggers the problem (a system test is not good enough)
  • Prepare a private merge request containing the following items in separate commits: https://gitlab.isc.org/isc-private/bind9/-/merge_requests/395

    • a test for the issue (may be moved to a separate merge request for deferred merging)
    • a fix for the issue
    • documentation updates (CHANGES, release notes, anything else applicable)
  • Ensure the merge request from the previous step is reviewed by SWENG staff and has no outstanding discussions

  • Ensure the documentation changes introduced by the merge request addressing the problem are reviewed by Support and Marketing staff

  • Prepare backports of the merge request addressing the problem for all affected (and still maintained) BIND branches (backporting might affect the issue's scope and/or description)

  • Prepare a standalone patch for the last stable release of each affected (and still maintained) BIND branch

Release-specific actions

  • Create/update the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
  • Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
  • Ensure the merge requests containing CVE fixes are merged into security-* branches in CVE identifier order

Post-disclosure actions

  • Merge a regression test reproducing the bug into all affected (and still maintained) BIND branches

Reported by Thomas Amgarten to security-officer

As described here https://www.isc.org/reportbug/, I want to inform you about a denial-of-service situation, which is triggered with a simple SSL scanner from the Kali suite.

Using BIND-9.18.1 and a DoH-configuration like this:

http myserver {
        endpoints { "/dns-query"; };
};

options {
        listen-on port 443 tls ephemeral http myserver { 127.0.0.1; 10.100.102.21; };
};

BIND is compiled with the following options.....

$ named -V
BIND 9.18.1 (Stable Release) <id:1a4e4c2>
running on Linux x86_64 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 20:34:55 UTC 2021
built by make with  '--prefix=/usr/local/bind-9.18.1' '--sysconfdir=/opt/chroot/bind/etc/named/' '--mandir=/usr/local/share/man' '--localstatedir=/opt/chroot/bind/var' '--enable-largefile' '--enable-full-report' '--without-gssapi' '--with-json-c' 'PKG_CONFIG_PATH=:/usr/local/libuv/lib/pkgconfig/'
compiled by GCC 8.4.1 20200928 (Red Hat 8.4.1-1)
compiled with OpenSSL version: OpenSSL 1.1.1g FIPS  21 Apr 2020
linked to OpenSSL version: OpenSSL 1.1.1g FIPS  21 Apr 2020
compiled with libuv version: 1.41.0
linked to libuv version: 1.41.0
compiled with libnghttp2 version: 1.33.0
linked to libnghttp2 version: 1.33.0
compiled with json-c version: 0.13.1
linked to json-c version: 0.13.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled

default paths:
  named configuration:  /opt/chroot/bind/etc/named/named.conf
  rndc configuration:   /opt/chroot/bind/etc/named/rndc.conf
  DNSSEC root key:      /opt/chroot/bind/etc/named/bind.keys
  nsupdate session key: /opt/chroot/bind/var/run/named/session.key
  named PID file:       /opt/chroot/bind/var/run/named/named.pid
  named lock file:      /opt/chroot/bind/var/run/named/named.lock

....and is started like this:

$ ps -o command -u named
COMMAND
/usr/local/bind/sbin/named -4 -t /opt/chroot/bind -u named -c /etc/named/named.conf

Running the following one-liner - where 10.100.102.21 is the IP address of BIND with the enabled DoH configuration on TCP port 443 - triggers an assertion failure in 99% of all my tries and named stops working:

$ for ((i=1; i<10; i++)); do sslyze 10.100.102.21 & done

17-Mar-2022 14:58:25.213 general: critical: netmgr/netmgr.c:1423: REQUIRE(((*sockp) != ((void *)0) && ((const isc__magic_t *)(*sockp))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K'))))) failed, back trace
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind/sbin/named() [0x41da4d]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc_assertion_failed+0xa) [0x7fa283bf665a]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc___nmsocket_detach+0xc6) [0x7fa283be3e96]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__nm_put_netievent_connectcb+0x15) [0x7fa283be4425]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x2329f) [0x7fa283be529f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x239e6) [0x7fa283be59e6]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x24162) [0x7fa283be6162]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(+0x11501) [0x7fa282386501]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv__io_poll+0x475) [0x7fa282396de5]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/libuv-1.41.0/lib/libuv.so.1(uv_run+0x104) [0x7fa282386c24]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x23a7f) [0x7fa283be5a7f]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc__trampoline_run+0x15) [0x7fa283c1cf35]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libpthread.so.0(+0x815a) [0x7fa28190b15a]
17-Mar-2022 14:58:25.213 general: critical: /lib64/libc.so.6(clone+0x43) [0x7fa28163add3]
17-Mar-2022 14:58:25.213 general: critical: exiting (due to assertion failure)

The patch for 9.18.2:

sslyze-crash-fix-9.18.2.patch

0001-CVE-2022-1183.patch

Edited Jun 27, 2022 by Michał Kępień
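An added exposure check (example code written for this page, not part of the issue or of BIND itself): it reads the first line of `named -V` and the `listen-on` statements of named.conf, as quoted above, and reports whether the build is in the affected 9.18 range and whether any listener uses the `tls` keyword (DoT or DoH). The fixed version 9.18.3 is taken from ISC's advisory for CVE-2022-1183, not from this page, and the sample config adds a plain port-53 listener to show that non-TLS listeners are ignored.

```python
import re

# Assumed threshold from ISC's CVE-2022-1183 advisory: 9.18.0 -> 9.18.2 affected,
# fixed in 9.18.3 (the advisory also lists 9.19.0; that branch is not modelled here).
AFFECTED_FROM = (9, 18, 0)
FIXED_IN = (9, 18, 3)

# Constructed sample inputs, copied from the output and config quoted in the issue,
# plus one ordinary port-53 listener that the check must ignore.
NAMED_V = "BIND 9.18.1 (Stable Release) <id:1a4e4c2>\n"
NAMED_CONF = """
http myserver {
        endpoints { "/dns-query"; };
};

options {
        listen-on port 443 tls ephemeral http myserver { 127.0.0.1; 10.100.102.21; };
        listen-on port 53 { any; };
};
"""


def parse_version(named_v_output):
    """Return (major, minor, patch) from the 'BIND x.y.z' line of `named -V`."""
    m = re.search(r"^BIND (\d+)\.(\d+)\.(\d+)", named_v_output, re.M)
    if not m:
        raise ValueError("no BIND version line found")
    return tuple(int(x) for x in m.groups())


def tls_listeners(named_conf):
    """Return (port, addresses) for every listen-on/listen-on-v6 using `tls`.

    port is None when the statement does not give one explicitly."""
    found = []
    for m in re.finditer(r"listen-on(?:-v6)?\s+([^{]*)\{([^}]*)\}\s*;", named_conf):
        opts, addrs = m.group(1).split(), m.group(2)
        if "tls" not in opts:
            continue  # classic UDP/TCP listener, not handled by the TLS stream code
        port = int(opts[opts.index("port") + 1]) if "port" in opts else None
        addresses = [a.strip() for a in addrs.split(";") if a.strip()]
        found.append((port, addresses))
    return found


def exposure(named_v_output, named_conf):
    """Combine version and listener checks into one triage verdict."""
    version = parse_version(named_v_output)
    listeners = tls_listeners(named_conf)
    affected_build = AFFECTED_FROM <= version < FIXED_IN
    return {"version": version, "tls_listeners": listeners,
            "vulnerable": affected_build and bool(listeners)}
```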
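An added detection example (written for this page, not code from the issue or from BIND) that scans named's log for the crash shape shown above: a `REQUIRE(...) failed, back trace` line, the named symbols in the following critical-severity backtrace frames, and the final `exiting (due to assertion failure)`. The sample log is constructed from the lines quoted in the issue with one unrelated info line added.

```python
import re
from collections import namedtuple

# Constructed sample: lines quoted in the issue above, plus one unrelated info line.
LOG = """\
17-Mar-2022 14:58:20.001 general: info: running
17-Mar-2022 14:58:25.213 general: critical: netmgr/netmgr.c:1423: REQUIRE(((*sockp) != ((void *)0) && ((const isc__magic_t *)(*sockp))->magic == ((('N') << 24 | ('M') << 16 | ('S') << 8 | ('K'))))) failed, back trace
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind/sbin/named() [0x41da4d]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc_assertion_failed+0xa) [0x7fa283bf665a]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(isc___nmsocket_detach+0xc6) [0x7fa283be3e96]
17-Mar-2022 14:58:25.213 general: critical: /usr/local/bind-9.18.1/lib/libisc-9.18.1.so(+0x2329f) [0x7fa283be529f]
17-Mar-2022 14:58:25.213 general: critical: exiting (due to assertion failure)
"""

# "<date> <time> <category>: <severity>: <message>" as named writes it.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<cat>[\w-]+): (?P<sev>\w+): (?P<msg>.*)$")
# "<file>:<line>: REQUIRE(<expr>) failed, back trace" (INSIST/ENSURE/INVARIANT too).
ASSERT_RE = re.compile(
    r"^(?P<file>[\w/.\-]+):(?P<line>\d+): (?P<kind>REQUIRE|INSIST|ENSURE|INVARIANT)"
    r"\((?P<expr>.*)\) failed, back trace$")
# Backtrace frames with a symbol, e.g. "(isc___nmsocket_detach+0xc6)"; "(+0x2329f)" has none.
FRAME_RE = re.compile(r"\((?P<sym>[A-Za-z_]\w*)\+0x[0-9a-f]+\)")

Crash = namedtuple("Crash", "timestamp file line kind symbols exited")


def find_crashes(log_text):
    """Return one Crash per assertion failure, with the named frames that followed it."""
    crashes, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        a = ASSERT_RE.match(msg)
        if a:  # start of a new assertion-failure report
            current = Crash(m.group("ts"), a.group("file"), int(a.group("line")),
                            a.group("kind"), [], False)
            crashes.append(current)
            continue
        if current is None:
            continue  # ordinary log traffic outside a crash report
        if msg == "exiting (due to assertion failure)":
            crashes[-1] = current._replace(exited=True)  # named is gone now
            current = None
            continue
        f = FRAME_RE.search(msg)
        if f and m.group("sev") == "critical":
            current.symbols.append(f.group("sym"))
    return crashes
```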